Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course,
available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest
high-quality content, which is written by professional journalists,
with the help of editors, graphic designers, and our site production
and I.T. staff, as well as many other talented people who work around the clock
for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or
to simply disable your Ad Blocker while visiting this site.

While they share many common causes, the world's largest tech companies are not above taking veiled and not-so-veiled potshots at each other, as the latest sniping between Google and Microsoft illustrates.

Earlier this month, a researcher with Google's Project Zero security team posted an extensive analysis of a Windows software bug, along the way criticizing Microsoft's policy of being slow to release patches for older versions of its operating system. This week, Microsoft fired back by publishing details about a Chrome Web browser vulnerability, and then taking Google to task for disclosing details about the flaw before pushing out a fix to end users.

Technology companies generally adhere to a process known as coordinated vulnerability disclosure, in which vendors are first notified about hardware or software flaws ahead of a public release of information. This is aimed at giving companies time to develop and release patches before details about vulnerabilities become widely available to the public as well as to hackers.

More than four years ago, however, Google said it would release public details about some bugs more quickly so end users could adopt fixes if vendors didn't fix critical vulnerabilities within seven days. That decision prompted accusations from Microsoft that Google was increasing, rather than reducing, potential security risks to customers.

'Problematic' Vulnerability Disclosures

In its latest dig at Google, Microsoft on Wednesday published a lengthy analysis of an Offensive Security Research (OSR) team investigation into possible vulnerabilities with Google's Chrome Web browser. The analysis described the team's discovery of a Chrome remote code execution vulnerability that could allow attackers to steal saved passwords, inject arbitrary JavaScript into Web pages, or navigate to other Web pages in the background using victims' browsers.

Using the handle "msft-mmpc," the unnamed Microsoft author also noted that Google's method for dealing with Chrome bugs could "result in the public disclosure of details for security flaws before fixes are pushed to customers."

The author said that after Microsoft informed Google about the vulnerability on Sept. 14, Google showed an "impressive" turnaround by committing a bug fix in four days and releasing a fixed build three days later. However, the author added that Google also made the patch source code available on GitHub before the fix was made available to end users.

"Although the fix for this issue does not immediately give away the underlying vulnerability, other cases can be less subtle," the Microsoft researcher said, adding later that "it is problematic when the vulnerabilities are made known to attackers ahead of the patches being made available."

'Trolling' and One-Upmanship

This week's post by Microsoft came on the heels of an Oct. 5 analysis by Google Project Zero researcher Mateusz Jurczyk of a Windows vulnerability that Microsoft fixed first for users running the latest version of Windows 10, leaving users with older versions of the operating system with a "false sense of security."

By responding with its latest critique of Google Chrome security, Microsoft chose a "petty" tactic, technology writer Paul Thurrott wrote yesterday. "What Microsoft should have done is take the high ground," Thurrott said. "Do the right thing for your shared customers and just shut up about it."

Engadget echoed those comments yesterday, describing Google's and Microsoft's security-focused critiques of each other as "trolling," questioning the benefits of such one-upmanship. The consensus seems to be that perhaps it's time for both companies to renew their focus on the true prize: the security of their end users and customers.